draft-ietf-httpbis-rfc6265bis-05.txt   draft-ietf-httpbis-rfc6265bis-06.txt 
HTTP M. West, Ed. HTTP M. West, Ed.
Internet-Draft Google, Inc Internet-Draft Google, Inc
Obsoletes: 6265 (if approved) J. Wilander, Ed. Obsoletes: 6265 (if approved) J. Wilander, Ed.
Intended status: Standards Track Apple, Inc Intended status: Standards Track Apple, Inc
Expires: August 8, 2020 February 5, 2020 Expires: October 22, 2020 April 20, 2020
Cookies: HTTP State Management Mechanism Cookies: HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-05 draft-ietf-httpbis-rfc6265bis-06
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 6265. on the Internet. This document obsoletes RFC 6265.
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 8, 2020. This Internet-Draft will expire on October 22, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 43 skipping to change at page 3, line 43
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 44
10.1. Normative References . . . . . . . . . . . . . . . . . . 44 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 44
10.2. Informative References . . . . . . . . . . . . . . . . . 46 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 45
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 47 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 45
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 48 10.1. Normative References . . . . . . . . . . . . . . . . . . 45
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 48 10.2. Informative References . . . . . . . . . . . . . . . . . 47
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 49 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 48
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 49 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 50
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 50 A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 50
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 50 A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 50
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 50 A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 50
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 50 A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 51
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 52
A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 52
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 52
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52
1. Introduction 1. Introduction
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
Using the Set-Cookie header field, an HTTP server can pass name/value Using the Set-Cookie header field, an HTTP server can pass name/value
pairs and associated metadata (called cookies) to a user agent. When pairs and associated metadata (called cookies) to a user agent. When
the user agent makes subsequent requests to the server, the user the user agent makes subsequent requests to the server, the user
agent uses the metadata and other information to determine whether to agent uses the metadata and other information to determine whether to
return the name/value pairs in the Cookie header. return the name/value pairs in the Cookie header.
skipping to change at page 5, line 43 skipping to change at page 5, line 47
notation of [RFC5234]. notation of [RFC5234].
The following core rules are included by reference, as defined in The following core rules are included by reference, as defined in
[RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF
(CR LF), CTLs (controls), DIGIT (decimal 0-9), DQUOTE (double quote), (CR LF), CTLs (controls), DIGIT (decimal 0-9), DQUOTE (double quote),
HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), NUL (null octet), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), NUL (null octet),
OCTET (any 8-bit sequence of data except NUL), SP (space), HTAB OCTET (any 8-bit sequence of data except NUL), SP (space), HTAB
(horizontal tab), CHAR (any [USASCII] character), VCHAR (any visible (horizontal tab), CHAR (any [USASCII] character), VCHAR (any visible
[USASCII] character), and WSP (whitespace). [USASCII] character), and WSP (whitespace).
The OWS (optional whitespace) rule is used where zero or more linear The OWS (optional whitespace) and BWS (bad whitespace) rules are
whitespace characters MAY appear: defined in Section 3.2.3 of [RFC7230].
OWS = *( [ obs-fold ] WSP )
; "optional" whitespace
obs-fold = CRLF
OWS SHOULD either not be produced or be produced as a single SP
character.
2.3. Terminology 2.3. Terminology
The terms "user agent", "client", "server", "proxy", and "origin The terms "user agent", "client", "server", "proxy", and "origin
server" have the same meaning as in the HTTP/1.1 specification server" have the same meaning as in the HTTP/1.1 specification
([RFC7230], Section 2). ([RFC7230], Section 2).
The request-host is the name of the host, as known by the user agent, The request-host is the name of the host, as known by the user agent,
to which the user agent is sending an HTTP request or from which it to which the user agent is sending an HTTP request or from which it
is receiving an HTTP response (i.e., the name of the host to which it is receiving an HTTP response (i.e., the name of the host to which it
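Review bot: the sender guidance that OWS "SHOULD either not be produced or be produced as a single SP character" disappears together with the local OWS/obs-fold definition, and BWS is introduced here by reference only, without saying what it means for this document. Since Section 4.1.1 now places BWS around "=" and ";" in the Set-Cookie grammar, a one-sentence gloss in this section (BWS marks whitespace that is tolerated on receipt and not meant to be generated; OWS should be emitted as a single SP or not at all) would keep the grammar from being read as permission for servers to emit that whitespace.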
skipping to change at page 6, line 43 skipping to change at page 6, line 43
The term "origin", the mechanism of deriving an origin from a URI, The term "origin", the mechanism of deriving an origin from a URI,
and the "the same" matching algorithm for origins are defined in and the "the same" matching algorithm for origins are defined in
[RFC6454]. [RFC6454].
"Safe" HTTP methods include "GET", "HEAD", "OPTIONS", and "TRACE", as "Safe" HTTP methods include "GET", "HEAD", "OPTIONS", and "TRACE", as
defined in Section 4.2.1 of [RFC7231]. defined in Section 4.2.1 of [RFC7231].
A domain's "public suffix" is the portion of a domain that is A domain's "public suffix" is the portion of a domain that is
controlled by a public registry, such as "com", "co.uk", and controlled by a public registry, such as "com", "co.uk", and
"pvt.k12.wy.us" [PSL]. A domain's "registrable domain" is the "pvt.k12.wy.us". A domain's "registrable domain" is the domain's
domain's public suffix plus the label to its left. That is, for public suffix plus the label to its left. That is, for
"https://www.site.example", the public suffix is "example", and the "https://www.site.example", the public suffix is "example", and the
registrable domain is "site.example". This concept is defined more registrable domain is "site.example". Whenever possible, user agents
rigorously in [PSL], which specifies a formal algorithm to obtain SHOULD use an up-to-date public suffix list, such as the one
both. maintained by the Mozilla project at [PSL].
The term "request", as well as a request's "client", "current url", The term "request", as well as a request's "client", "current url",
"method", and "target browsing context", are defined in [FETCH]. "method", and "target browsing context", are defined in [FETCH].
3. Overview 3. Overview
This section outlines a way for an origin server to send state This section outlines a way for an origin server to send state
information to a user agent and for the user agent to return the information to a user agent and for the user agent to return the
state information to the origin server. state information to the origin server.
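Review bot: the new "user agents SHOULD use an up-to-date public suffix list, such as the one maintained by the Mozilla project at [PSL]" attaches a normative requirement to a reference that this revision moves from Section 10.1 (Normative) to Section 10.2 (Informative), as the [PSL] entries further down show; either keep [PSL] normative or soften the SHOULD to a recommendation. The -05 sentence stating that [PSL] "specifies a formal algorithm to obtain both" the public suffix and the registrable domain is also dropped, so the text no longer says where the rigorous definition of these two terms lives; consider keeping that sentence, since the informal "public suffix plus the label to its left" is not enough to implement domain-matching correctly.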
skipping to change at page 10, line 5 skipping to change at page 10, line 5
server to the user agent. server to the user agent.
4.1.1. Syntax 4.1.1. Syntax
Informally, the Set-Cookie response header contains the header name Informally, the Set-Cookie response header contains the header name
"Set-Cookie" followed by a ":" and a cookie. Each cookie begins with "Set-Cookie" followed by a ":" and a cookie. Each cookie begins with
a name-value-pair, followed by zero or more attribute-value pairs. a name-value-pair, followed by zero or more attribute-value pairs.
Servers SHOULD NOT send Set-Cookie headers that fail to conform to Servers SHOULD NOT send Set-Cookie headers that fail to conform to
the following grammar: the following grammar:
set-cookie-header = "Set-Cookie:" SP set-cookie-string set-cookie-header = "Set-Cookie:" SP BWS set-cookie-string
set-cookie-string = cookie-pair *( ";" SP cookie-av ) set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )
cookie-pair = cookie-name "=" cookie-value cookie-pair = cookie-name BWS "=" BWS cookie-value
cookie-name = token cookie-name = 1*cookie-octet
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E / %x80-FF
; US-ASCII characters excluding CTLs, ; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon, ; whitespace DQUOTE, comma, semicolon,
; and backslash ; and backslash
token = <token, defined in [RFC7230], Section 3.2.6>
cookie-av = expires-av / max-age-av / domain-av / cookie-av = expires-av / max-age-av / domain-av /
path-av / secure-av / httponly-av / path-av / secure-av / httponly-av /
samesite-av / extension-av samesite-av / extension-av
expires-av = "Expires=" sane-cookie-date expires-av = "Expires" BWS "=" BWS sane-cookie-date
sane-cookie-date = sane-cookie-date =
<IMF-fixdate, defined in [RFC7231], Section 7.1.1.1> <IMF-fixdate, defined in [RFC7231], Section 7.1.1.1>
max-age-av = "Max-Age=" non-zero-digit *DIGIT max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT
; In practice, both expires-av and max-age-av ; In practice, both expires-av and max-age-av
; are limited to dates representable by the ; are limited to dates representable by the
; user agent. ; user agent.
non-zero-digit = %x31-39 non-zero-digit = %x31-39
; digits 1 through 9 ; digits 1 through 9
domain-av = "Domain=" domain-value domain-av = "Domain" BWS "=" BWS domain-value
domain-value = <subdomain> domain-value = <subdomain>
; defined in [RFC1034], Section 3.5, as ; defined in [RFC1034], Section 3.5, as
; enhanced by [RFC1123], Section 2.1 ; enhanced by [RFC1123], Section 2.1
path-av = "Path=" path-value path-av = "Path" BWS "=" BWS path-value
path-value = *av-octet path-value = *av-octet
secure-av = "Secure" secure-av = "Secure"
httponly-av = "HttpOnly" httponly-av = "HttpOnly"
samesite-av = "SameSite=" samesite-value samesite-av = "SameSite" BWS "=" BWS samesite-value
samesite-value = "Strict" / "Lax" / "None" samesite-value = "Strict" / "Lax" / "None"
extension-av = *av-octet extension-av = *av-octet
av-octet = %x20-3A / %x3C-7E av-octet = %x20-3A / %x3C-7E
; any CHAR except CTLs or ";" ; any CHAR except CTLs or ";"
Note that some of the grammatical terms above reference documents Note that some of the grammatical terms above reference documents
that use different grammatical notations than this document (which that use different grammatical notations than this document (which
uses ABNF from [RFC5234]). uses ABNF from [RFC5234]).
The semantics of the cookie-value are not defined by this document. The semantics of the cookie-value are not defined by this document.
To maximize compatibility with user agents, servers that wish to To maximize compatibility with user agents, servers that wish to
store arbitrary data in a cookie-value SHOULD encode that data, for store arbitrary data in a cookie-value SHOULD encode that data, for
example, using Base64 [RFC4648]. example, using Base64 [RFC4648].
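Review bot: cookie-name = 1*cookie-octet makes cookie-pair ambiguous, because cookie-octet includes %x3D ("=") inside its %x3C-5B range, so a string such as a=b=c can be divided as name "a" with value "b=c" or as name "a=b" with value "c"; the old token rule excluded "=" from names and made the split at the first "=" unique. Either exclude %x3D from cookie-name (for example with a separate name-octet rule) or state in the prose that the name ends at the first "=". The comment beneath cookie-octet ("US-ASCII characters excluding CTLs, whitespace DQUOTE, comma, semicolon, and backslash") is now stale as well, since the added %x80-FF range is not US-ASCII; it should mention the high octets and gain the missing comma after "whitespace". Finally, cookie-octet admits characters that token excluded ("(", ")", "/", "?", "@", and now the high octets), so the text should say whether servers may send such names or whether the wider rule only describes what user agents accept, and nothing else in the document should still reference the deleted <token> rule.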
skipping to change at page 16, line 15 skipping to change at page 16, line 15
4.2. Cookie 4.2. Cookie
4.2.1. Syntax 4.2.1. Syntax
The user agent sends stored cookies to the origin server in the The user agent sends stored cookies to the origin server in the
Cookie header. If the server conforms to the requirements in Cookie header. If the server conforms to the requirements in
Section 4.1 (and the user agent conforms to the requirements in Section 4.1 (and the user agent conforms to the requirements in
Section 5), the user agent will send a Cookie header that conforms to Section 5), the user agent will send a Cookie header that conforms to
the following grammar: the following grammar:
cookie-header = "Cookie:" OWS cookie-string OWS cookie-header = "Cookie:" SP cookie-string
cookie-string = cookie-pair *( ";" SP cookie-pair ) cookie-string = cookie-pair *( ";" SP cookie-pair )
4.2.2. Semantics 4.2.2. Semantics
Each cookie-pair represents a cookie stored by the user agent. The Each cookie-pair represents a cookie stored by the user agent. The
cookie-pair contains the cookie-name and cookie-value the user agent cookie-pair contains the cookie-name and cookie-value the user agent
received in the Set-Cookie header. received in the Set-Cookie header.
Notice that the cookie attributes are not returned. In particular, Notice that the cookie attributes are not returned. In particular,
the server cannot determine from the Cookie header alone when a the server cannot determine from the Cookie header alone when a
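Review bot: this section does not say that the tightened cookie-header production ("Cookie:" followed by exactly one SP and no trailing OWS) is a generation grammar rather than a parsing one. The lead-in's "if the server conforms ... the user agent will send a Cookie header that conforms to" covers the user-agent side, but Section 4.1.1 now tolerates BWS around "=" and ";" while this grammar does not, so a sentence advising servers not to reject Cookie headers that differ only in whitespace would avoid the asymmetry being read as a parsing requirement.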
skipping to change at page 28, line 28 skipping to change at page 28, line 28
cookies along with cross-site requests if and only if they are top- cookies along with cross-site requests if and only if they are top-
level navigations which use a "safe" (in the [RFC7231] sense) HTTP level navigations which use a "safe" (in the [RFC7231] sense) HTTP
method. method.
Lax enforcement provides reasonable defense in depth against CSRF Lax enforcement provides reasonable defense in depth against CSRF
attacks that rely on unsafe HTTP methods (like "POST"), but does not attacks that rely on unsafe HTTP methods (like "POST"), but does not
offer a robust defense against CSRF as a general category of attack: offer a robust defense against CSRF as a general category of attack:
1. Attackers can still pop up new windows or trigger top-level 1. Attackers can still pop up new windows or trigger top-level
navigations in order to create a "same-site" request (as navigations in order to create a "same-site" request (as
described in section 5.2.1), which is only a speedbump along the described in Section 5.2.1), which is only a speedbump along the
road to exploitation. road to exploitation.
2. Features like "<link rel='prerender'>" [prerendering] can be 2. Features like "<link rel='prerender'>" [prerendering] can be
exploited to create "same-site" requests without the risk of user exploited to create "same-site" requests without the risk of user
detection. detection.
When possible, developers should use a session management mechanism When possible, developers should use a session management mechanism
such as that described in Section 8.8.2 to mitigate the risk of CSRF such as that described in Section 8.8.2 to mitigate the risk of CSRF
more completely. more completely.
skipping to change at page 31, line 13 skipping to change at page 31, line 13
ignore the cookie entirely. ignore the cookie entirely.
10. If the cookie-attribute-list contains an attribute with an 10. If the cookie-attribute-list contains an attribute with an
attribute-name of "HttpOnly", set the cookie's http-only-flag to attribute-name of "HttpOnly", set the cookie's http-only-flag to
true. Otherwise, set the cookie's http-only-flag to false. true. Otherwise, set the cookie's http-only-flag to false.
11. If the cookie was received from a "non-HTTP" API and the 11. If the cookie was received from a "non-HTTP" API and the
cookie's http-only-flag is true, abort these steps and ignore cookie's http-only-flag is true, abort these steps and ignore
the cookie entirely. the cookie entirely.
12. If the cookie's secure-only-flag is not set, and the scheme 12. If the cookie's secure-only-flag is false, and the scheme
component of request-uri does not denote a "secure" protocol, component of request-uri does not denote a "secure" protocol,
then abort these steps and ignore the cookie entirely if the then abort these steps and ignore the cookie entirely if the
cookie store contains one or more cookies that meet all of the cookie store contains one or more cookies that meet all of the
following criteria: following criteria:
1. Their name matches the name of the newly-created cookie. 1. Their name matches the name of the newly-created cookie.
2. Their secure-only-flag is true. 2. Their secure-only-flag is true.
3. Their domain domain-matches the domain of the newly-created 3. Their domain domain-matches the domain of the newly-created
skipping to change at page 33, line 27 skipping to change at page 33, line 27
At any time, the user agent MAY "remove excess cookies" from the At any time, the user agent MAY "remove excess cookies" from the
cookie store if the cookie store exceeds some predetermined upper cookie store if the cookie store exceeds some predetermined upper
bound (such as 3000 cookies). bound (such as 3000 cookies).
When the user agent removes excess cookies from the cookie store, the When the user agent removes excess cookies from the cookie store, the
user agent MUST evict cookies in the following priority order: user agent MUST evict cookies in the following priority order:
1. Expired cookies. 1. Expired cookies.
2. Cookies whose secure-only-flag is not set, and which share a 2. Cookies whose secure-only-flag is false, and which share a domain
domain field with more than a predetermined number of other field with more than a predetermined number of other cookies.
cookies.
3. Cookies that share a domain field with more than a predetermined 3. Cookies that share a domain field with more than a predetermined
number of other cookies. number of other cookies.
4. All cookies. 4. All cookies.
If two cookies have the same removal priority, the user agent MUST If two cookies have the same removal priority, the user agent MUST
evict the cookie with the earliest last-access-time first. evict the cookie with the earliest last-access-time first.
When "the current session is over" (as defined by the user agent), When "the current session is over" (as defined by the user agent),
skipping to change at page 35, line 29 skipping to change at page 35, line 26
this order reflects common practice when this document was this order reflects common practice when this document was
written, and, historically, there have been servers that written, and, historically, there have been servers that
(erroneously) depended on this order. (erroneously) depended on this order.
3. Update the last-access-time of each cookie in the cookie-list to 3. Update the last-access-time of each cookie in the cookie-list to
the current date and time. the current date and time.
4. Serialize the cookie-list into a cookie-string by processing each 4. Serialize the cookie-list into a cookie-string by processing each
cookie in the cookie-list in order: cookie in the cookie-list in order:
1. Output the cookie's name, the %x3D ("=") character, and the 1. If the cookies' name is not empty, output the cookie's name
cookie's value. followed by the %x3D ("=") character.
2. If there is an unprocessed cookie in the cookie-list, output 2. If the cookies' value is not empty, output the cookie's
value.
3. If there is an unprocessed cookie in the cookie-list, output
the characters %x3B and %x20 ("; "). the characters %x3B and %x20 ("; ").
NOTE: Despite its name, the cookie-string is actually a sequence of NOTE: Despite its name, the cookie-string is actually a sequence of
octets, not a sequence of characters. To convert the cookie-string octets, not a sequence of characters. To convert the cookie-string
(or components thereof) into a sequence of characters (e.g., for (or components thereof) into a sequence of characters (e.g., for
presentation to the user), the user agent might wish to try using the presentation to the user), the user agent might wish to try using the
UTF-8 character encoding [RFC3629] to decode the octet sequence. UTF-8 character encoding [RFC3629] to decode the octet sequence.
This decoding might fail, however, because not every sequence of This decoding might fail, however, because not every sequence of
octets is valid UTF-8. octets is valid UTF-8.
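Review bot: "the cookies' name" and "the cookies' value" in steps 4.1 and 4.2 should read "the cookie's name" and "the cookie's value" (singular possessive, as in the rest of step 4). On substance, the two new conditional steps can emit a pair with no "=" at all (empty name: only the value is written), or nothing for that cookie (name and value both empty, which yields an output like "a=1; ; b=2" once step 4.3 appends the separator); neither form matches cookie-pair = cookie-name BWS "=" BWS cookie-value with cookie-name = 1*cookie-octet in Section 4.1.1. That is consistent with the "if the server conforms" wording of Section 4.2.1, but a sentence here noting that these branches only arise for cookies accepted from non-conforming Set-Cookie input, plus a statement of what the store does with a cookie whose name and value are both empty, would remove the apparent contradiction.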
skipping to change at page 43, line 47 skipping to change at page 43, line 47
function as intended with same-site cookies. function as intended with same-site cookies.
8.8.4. Server-controlled 8.8.4. Server-controlled
SameSite cookies in and of themselves don't do anything to address SameSite cookies in and of themselves don't do anything to address
the general privacy concerns outlined in Section 7.1 of [RFC6265]. the general privacy concerns outlined in Section 7.1 of [RFC6265].
The "SameSite" attribute is set by the server, and serves to mitigate The "SameSite" attribute is set by the server, and serves to mitigate
the risk of certain kinds of attacks that the server is worried the risk of certain kinds of attacks that the server is worried
about. The user is not involved in this decision. Moreover, a about. The user is not involved in this decision. Moreover, a
number of side-channels exist which could allow a server to link number of side-channels exist which could allow a server to link
distinct requests even in the absence of cookies. Connection and/or distinct requests even in the absence of cookies (for example,
socket pooling, Token Binding, and Channel ID all offer explicit connection and/or socket pooling between same-site and cross-site
methods of identification that servers could take advantage of. requests).
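Review bot: the paragraph still points at "Section 7.1 of [RFC6265]" for the general privacy concerns, although the front matter says this document obsoletes RFC 6265; the cross-reference should target this document's own privacy section so the text stays self-contained after publication. The replacement side-channel example (connection and/or socket pooling between same-site and cross-site requests) is clearer than the removed list, but "a number of side-channels exist" is now supported by a single example; a second one, or "such as" wording, would match the plural.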
9. IANA Considerations 9. IANA Considerations
The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registrations.
9.1. Cookie 9.1. Cookie
The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registration:
Header field name: Cookie Header field name: Cookie
Applicable protocol: http Applicable protocol: http
Status: standard Status: standard
Author/Change controller: IETF Author/Change controller: IETF
Specification document: this specification (Section 5.5) Specification document: this specification (Section 5.5)
9.2. Set-Cookie 9.2. Set-Cookie
The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registration:
Header field name: Set-Cookie Header field name: Set-Cookie
Applicable protocol: http Applicable protocol: http
Status: standard Status: standard
Author/Change controller: IETF Author/Change controller: IETF
Specification document: this specification (Section 5.3) Specification document: this specification (Section 5.3)
9.3. Cookie Attribute Registry
The "Cookie Attribute Registry" defines the name space of attribute
used to control cookies' behavior. The registry is maintained at
https://www.iana.org/assignments/cookie-attribute-names [4].
9.3.1. Procedure
Each registered attribute name is associated with a description, and
a reference detailing how the attribute is to be processed and
stored.
New registrations happen on a "RFC Required" basis (see Section 4.7
of [RFC8126]). The attribute to be registered MUST match the
"extension-av" syntax defined in Section 4.1.1. Note that attribute
names are generally defined in CamelCase, but technically accepted
case-insensitively.
9.3.2. Registration
The "Cookie Attribute Registry" will be updated with the
registrations below:
+----------+----------------------------------------+
| Name | Reference |
+----------+----------------------------------------+
| Domain | Section 4.1.2.3 of this document |
| Expires | Section 4.1.2.1 of this document |
| HttpOnly | {{attribute-httponly} of this document |
| Max-Age | {{attribute-max-age} of this document |
| Path | {{attribute-path} of this document |
| SameSite | {{attribute-samesite} of this document |
| Secure | {{attribute-secure} of this document |
+----------+----------------------------------------+
10. References 10. References
10.1. Normative References 10.1. Normative References
[FETCH] van Kesteren, A., "Fetch", n.d., [FETCH] van Kesteren, A., "Fetch", n.d.,
<https://fetch.spec.whatwg.org/>. <https://fetch.spec.whatwg.org/>.
[HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt, [HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt,
P., and D. Denicola, "HTML", n.d., P., and D. Denicola, "HTML", n.d.,
<https://html.spec.whatwg.org/>. <https://html.spec.whatwg.org/>.
[PSL] "Public Suffix List", n.d.,
<https://publicsuffix.org/list/>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123, Application and Support", STD 3, RFC 1123,
DOI 10.17487/RFC1123, October 1989, DOI 10.17487/RFC1123, October 1989,
<https://www.rfc-editor.org/info/rfc1123>. <https://www.rfc-editor.org/info/rfc1123>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
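Review bot: five of the seven rows in the Section 9.3.2 table carry unrendered source anchors ("{{attribute-httponly} of this document", "{{attribute-max-age} of this document", and so on, each with unbalanced braces) where the Domain and Expires rows show resolved section numbers; these must render as "Section 4.1.2.x of this document" before the registry text is usable. In Section 9.3, "defines the name space of attribute used" should read "attribute names used", and "on a "RFC Required" basis" should be "an "RFC Required" basis". In Section 9.3.1, requiring registered names to "match the extension-av syntax" is too loose: extension-av is *av-octet and av-octet covers %x20-3A / %x3C-7E, so an empty name, a name containing "=", or a name with spaces all match; a tighter rule (non-empty, no "=", no whitespace) would prevent registering names that cannot appear as an attribute-name. Note also that [PSL] leaves the normative references in this hunk while Section 2.3 still uses it in a SHOULD.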
skipping to change at page 45, line 50 skipping to change at page 46, line 37
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014, RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>. <https://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231, Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014, DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>. <https://www.rfc-editor.org/info/rfc7231>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[SERVICE-WORKERS] [SERVICE-WORKERS]
Russell, A., Song, J., and J. Archibald, "Service Russell, A., Song, J., and J. Archibald, "Service
Workers", n.d., <http://www.w3.org/TR/service-workers/>. Workers", n.d., <http://www.w3.org/TR/service-workers/>.
[USASCII] American National Standards Institute, "Coded Character [USASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986. Interchange", ANSI X3.4, 1986.
10.2. Informative References 10.2. Informative References
skipping to change at page 47, line 5 skipping to change at page 47, line 47
[I-D.ietf-httpbis-cookie-same-site] [I-D.ietf-httpbis-cookie-same-site]
West, M. and M. Goodwin, "Same-Site Cookies", draft-ietf- West, M. and M. Goodwin, "Same-Site Cookies", draft-ietf-
httpbis-cookie-same-site-00 (work in progress), June 2016. httpbis-cookie-same-site-00 (work in progress), June 2016.
[prerendering] [prerendering]
Bentzel, C., "Chrome Prerendering", n.d., Bentzel, C., "Chrome Prerendering", n.d.,
<https://www.chromium.org/developers/design-documents/ <https://www.chromium.org/developers/design-documents/
prerender>. prerender>.
[PSL] "Public Suffix List", n.d.,
<https://publicsuffix.org/list/>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/info/rfc3629>. 2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
Procedures for Message Header Fields", BCP 90, RFC 3864, Procedures for Message Header Fields", BCP 90, RFC 3864,
skipping to change at page 47, line 52 skipping to change at page 48, line 48
June 2016, <http://unicode.org/reports/tr46/>. June 2016, <http://unicode.org/reports/tr46/>.
10.3. URIs 10.3. URIs
[1] https://lists.w3.org/Archives/Public/ietf-http-wg/ [1] https://lists.w3.org/Archives/Public/ietf-http-wg/
[2] http://httpwg.github.io/ [2] http://httpwg.github.io/
[3] https://github.com/httpwg/http-extensions/labels/6265bis [3] https://github.com/httpwg/http-extensions/labels/6265bis
[4] https://github.com/httpwg/http-extensions/issues/243 [4] https://www.iana.org/assignments/cookie-attribute-names
[5] https://github.com/httpwg/http-extensions/issues/246 [5] https://github.com/httpwg/http-extensions/issues/243
[6] https://www.rfc-editor.org/errata_search.php?rfc=6265 [6] https://github.com/httpwg/http-extensions/issues/246
[7] https://github.com/httpwg/http-extensions/issues/247 [7] https://www.rfc-editor.org/errata_search.php?rfc=6265
[8] https://github.com/httpwg/http-extensions/issues/201 [8] https://github.com/httpwg/http-extensions/issues/247
[9] https://github.com/httpwg/http-extensions/issues/204 [9] https://github.com/httpwg/http-extensions/issues/201
[10] https://github.com/httpwg/http-extensions/issues/222 [10] https://github.com/httpwg/http-extensions/issues/204
[11] https://github.com/httpwg/http-extensions/issues/248 [11] https://github.com/httpwg/http-extensions/issues/222
[12] https://github.com/httpwg/http-extensions/issues/295 [12] https://github.com/httpwg/http-extensions/issues/248
[13] https://github.com/httpwg/http-extensions/issues/302 [13] https://github.com/httpwg/http-extensions/issues/295
[14] https://github.com/httpwg/http-extensions/issues/389 [14] https://github.com/httpwg/http-extensions/issues/302
[15] https://github.com/httpwg/http-extensions/issues/199 [15] https://github.com/httpwg/http-extensions/issues/389
[16] https://github.com/httpwg/http-extensions/issues/788 [16] https://github.com/httpwg/http-extensions/issues/199
[17] https://github.com/httpwg/http-extensions/issues/594 [17] https://github.com/httpwg/http-extensions/issues/788
[18] https://github.com/httpwg/http-extensions/issues/159 [18] https://github.com/httpwg/http-extensions/issues/594
[19] https://github.com/httpwg/http-extensions/issues/159 [19] https://github.com/httpwg/http-extensions/issues/159
[20] https://github.com/httpwg/http-extensions/issues/901 [20] https://github.com/httpwg/http-extensions/issues/159
[21] https://github.com/httpwg/http-extensions/pull/1035 [21] https://github.com/httpwg/http-extensions/issues/901
[22] https://github.com/httpwg/http-extensions/pull/1038 [22] https://github.com/httpwg/http-extensions/pull/1035
[23] https://github.com/httpwg/http-extensions/pull/1040 [23] https://github.com/httpwg/http-extensions/pull/1038
[24] https://github.com/httpwg/http-extensions/pull/1047 [24] https://github.com/httpwg/http-extensions/pull/1040
[25] https://github.com/httpwg/http-extensions/pull/1047
[26] https://github.com/httpwg/http-extensions/issues/1059
[27] https://github.com/httpwg/http-extensions/issues/1158
[28] https://github.com/httpwg/http-extensions/pull/1060
[29] https://github.com/httpwg/http-extensions/issues/1074
[30] https://github.com/httpwg/http-extensions/issues/1119
[31] https://github.com/httpwg/http-extensions/pull/1143
[32] https://github.com/httpwg/http-extensions/issues/1159
Appendix A. Changes Appendix A. Changes
A.1. draft-ietf-httpbis-rfc6265bis-00 A.1. draft-ietf-httpbis-rfc6265bis-00
o Port [RFC6265] to Markdown. No (intentional) normative changes. o Port [RFC6265] to Markdown. No (intentional) normative changes.
A.2. draft-ietf-httpbis-rfc6265bis-01 A.2. draft-ietf-httpbis-rfc6265bis-01
o Fixes to formatting caused by mistakes in the initial port to o Fixes to formatting caused by mistakes in the initial port to
Markdown: Markdown:
* https://github.com/httpwg/http-extensions/issues/243 [4] * https://github.com/httpwg/http-extensions/issues/243 [5]
* https://github.com/httpwg/http-extensions/issues/246 [5] * https://github.com/httpwg/http-extensions/issues/246 [6]
o Addresses errata 3444 by updating the "path-value" and "extension- o Addresses errata 3444 by updating the "path-value" and "extension-
av" grammar, errata 4148 by updating the "day-of-month", "year", av" grammar, errata 4148 by updating the "day-of-month", "year",
and "time" grammar, and errata 3663 by adding the requested note. and "time" grammar, and errata 3663 by adding the requested note.
https://www.rfc-editor.org/errata_search.php?rfc=6265 [6] https://www.rfc-editor.org/errata_search.php?rfc=6265 [7]
o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations
section: https://github.com/httpwg/http-extensions/issues/247 [7] section: https://github.com/httpwg/http-extensions/issues/247 [8]
o Merged the recommendations from [I-D.ietf-httpbis-cookie-alone], o Merged the recommendations from [I-D.ietf-httpbis-cookie-alone],
removing the ability for a non-secure origin to set cookies with a removing the ability for a non-secure origin to set cookies with a
'secure' flag, and to overwrite cookies whose 'secure' flag is 'secure' flag, and to overwrite cookies whose 'secure' flag is
true. true.
o Merged the recommendations from o Merged the recommendations from
[I-D.ietf-httpbis-cookie-prefixes], adding "__Secure-" and [I-D.ietf-httpbis-cookie-prefixes], adding "__Secure-" and
"__Host-" cookie name prefix processing instructions. "__Host-" cookie name prefix processing instructions.
A.3. draft-ietf-httpbis-rfc6265bis-02 A.3. draft-ietf-httpbis-rfc6265bis-02
o Merged the recommendations from o Merged the recommendations from
[I-D.ietf-httpbis-cookie-same-site], adding support for the [I-D.ietf-httpbis-cookie-same-site], adding support for the
"SameSite" attribute. "SameSite" attribute.
o Closed a number of editorial bugs: o Closed a number of editorial bugs:
* Clarified address bar behavior for SameSite cookies: * Clarified address bar behavior for SameSite cookies:
https://github.com/httpwg/http-extensions/issues/201 [8] https://github.com/httpwg/http-extensions/issues/201 [9]
* Added the word "Cookies" to the document's name: * Added the word "Cookies" to the document's name:
https://github.com/httpwg/http-extensions/issues/204 [9] https://github.com/httpwg/http-extensions/issues/204 [10]
* Clarified that the "__Host-" prefix requires an explicit "Path" * Clarified that the "__Host-" prefix requires an explicit "Path"
attribute: https://github.com/httpwg/http-extensions/issues/222 attribute: https://github.com/httpwg/http-extensions/issues/222
[10] [11]
* Expanded the options for dealing with third-party cookies to * Expanded the options for dealing with third-party cookies to
include a brief mention of partitioning based on first-party: include a brief mention of partitioning based on first-party:
https://github.com/httpwg/http-extensions/issues/248 [11] https://github.com/httpwg/http-extensions/issues/248 [12]
* Noted that double-quotes in cookie values are part of the * Noted that double-quotes in cookie values are part of the
value, and are not stripped: https://github.com/httpwg/http- value, and are not stripped: https://github.com/httpwg/http-
extensions/issues/295 [12] extensions/issues/295 [13]
* Fixed the "site for cookies" algorithm to return something that * Fixed the "site for cookies" algorithm to return something that
makes sense: https://github.com/httpwg/http-extensions/ makes sense: https://github.com/httpwg/http-extensions/
issues/302 [13] issues/302 [14]
A.4. draft-ietf-httpbis-rfc6265bis-03 A.4. draft-ietf-httpbis-rfc6265bis-03
o Clarified handling of invalid SameSite values: o Clarified handling of invalid SameSite values:
https://github.com/httpwg/http-extensions/issues/389 [14] https://github.com/httpwg/http-extensions/issues/389 [15]
o Reflect widespread implementation practice of including a cookie's o Reflect widespread implementation practice of including a cookie's
"host-only-flag" when calculating its uniqueness: "host-only-flag" when calculating its uniqueness:
https://github.com/httpwg/http-extensions/issues/199 [15] https://github.com/httpwg/http-extensions/issues/199 [16]
o Introduced an explicit "None" value for the SameSite attribute: o Introduced an explicit "None" value for the SameSite attribute:
https://github.com/httpwg/http-extensions/issues/788 [16] https://github.com/httpwg/http-extensions/issues/788 [17]
A.5. draft-ietf-httpbis-rfc6265bis-04 A.5. draft-ietf-httpbis-rfc6265bis-04
o Allow "SameSite" cookies to be set for all top-level navigations. o Allow "SameSite" cookies to be set for all top-level navigations.
https://github.com/httpwg/http-extensions/issues/594 [17] https://github.com/httpwg/http-extensions/issues/594 [18]
o Treat "Set-Cookie: token" as creating the cookie "("", "token")": o Treat "Set-Cookie: token" as creating the cookie "("", "token")":
https://github.com/httpwg/http-extensions/issues/159 [18] https://github.com/httpwg/http-extensions/issues/159 [19]
o Reject cookies with neither name nor value (e.g. "Set-Cookie: =" o Reject cookies with neither name nor value (e.g. "Set-Cookie: ="
and "Set-Cookie:"): https://github.com/httpwg/http-extensions/ and "Set-Cookie:"): https://github.com/httpwg/http-extensions/
issues/159 [19] issues/159 [20]
o Clarified behavior of multiple "SameSite" attributes in a cookie o Clarified behavior of multiple "SameSite" attributes in a cookie
string: https://github.com/httpwg/http-extensions/issues/901 [20] string: https://github.com/httpwg/http-extensions/issues/901 [21]
A.6. draft-ietf-httpbis-rfc6265bis-05 A.6. draft-ietf-httpbis-rfc6265bis-05
o Typos and editorial fixes: https://github.com/httpwg/http- o Typos and editorial fixes: https://github.com/httpwg/http-
extensions/pull/1035 [21], https://github.com/httpwg/http- extensions/pull/1035 [22], https://github.com/httpwg/http-
extensions/pull/1038 [22], https://github.com/httpwg/http- extensions/pull/1038 [23], https://github.com/httpwg/http-
extensions/pull/1040 [23], https://github.com/httpwg/http- extensions/pull/1040 [24], https://github.com/httpwg/http-
extensions/pull/1047 [24]. extensions/pull/1047 [25].
A.7. draft-ietf-httpbis-rfc6265bis-06
o Editorial fixes: https://github.com/httpwg/http-extensions/
issues/1059 [26], https://github.com/httpwg/http-extensions/
issues/1158 [27].
o Created a registry for cookie attribute names:
https://github.com/httpwg/http-extensions/pull/1060 [28].
o Tweaks to ABNF for "cookie-pair" and the "Cookie" header
production: https://github.com/httpwg/http-extensions/issues/1074
[29], https://github.com/httpwg/http-extensions/issues/1119 [30].
o Fixed serialization for nameless/valueless cookies:
https://github.com/httpwg/http-extensions/pull/1143 [31].
o Converted a normative reference to Mozilla's Public Suffix List
[PSL] into an informative reference: https://github.com/httpwg/
http-extensions/issues/1159 [32].
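The following is an added illustration, written for this page; it is not text from draft-ietf-httpbis-rfc6265bis and not any user agent's code. It puts the rules the change log above records into one small parser, jar and serializer: the -01 "cookie-alone" rule (a non-secure origin may neither set a Secure cookie nor overwrite one) and the "__Secure-"/"__Host-" prefix checks, the -02 clarification that "__Host-" needs an explicit "Path=/" and that double quotes stay in the value, the -03 use of the host-only flag in cookie identity, the -04 handling of "Set-Cookie: token" and of cookies with neither name nor value, and the -06 serialization fix for nameless cookies. The Cookie class, the function names and the request_host parameter are assumptions made for the example; Expires/Max-Age, default-path computation and SameSite handling are left out.

```python
"""Added illustration (editor's code, not text from draft-ietf-httpbis-rfc6265bis):
a minimal Set-Cookie parser, cookie jar and Cookie serializer that exercise the
rules recorded in Appendix A.  The Cookie class and function names are
assumptions made for this example; Expires/Max-Age, default-path computation
and SameSite handling are deliberately left out."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                 # request host for host-only cookies
    host_only: bool             # True when no Domain attribute was given
    path: Optional[str] = None  # only an explicit Path starting with '/' is kept
    secure: bool = False
    other: Dict[str, str] = field(default_factory=dict)


def split_cookie_pair(pair: str) -> Optional[Tuple[str, str]]:
    """-04: 'token' (no '=') is the cookie ("", "token"); '=' and '' (neither
    name nor value) are rejected, signalled by None.
    -02: double quotes in the value are part of the value, not stripped."""
    if "=" in pair:
        name, value = pair.split("=", 1)
    else:
        name, value = "", pair
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name and not value:
        return None
    return name, value


def parse_set_cookie(header: str, request_host: str,
                     request_is_secure: bool) -> Optional[Cookie]:
    """Parse one Set-Cookie field value.  Returns None when the cookie is
    rejected: a non-secure origin may not set a Secure cookie (-01),
    '__Secure-' needs the Secure flag (-01), and '__Host-' needs Secure, no
    Domain attribute and an explicit 'Path=/' (-01, clarified in -02)."""
    parts = header.split(";")
    pair = split_cookie_pair(parts[0])
    if pair is None:
        return None
    cookie = Cookie(pair[0], pair[1], domain=request_host.lower(), host_only=True)
    for av in parts[1:]:
        attr_name, _, attr_value = av.partition("=")
        attr_name = attr_name.strip(" \t").lower()
        attr_value = attr_value.strip(" \t")
        if attr_name == "secure":
            cookie.secure = True
        elif attr_name == "domain" and attr_value:
            # RFC 6265 s5.2.3: drop a leading dot and lower-case the host
            cookie.domain = attr_value.lstrip(".").lower()
            cookie.host_only = False
        elif attr_name == "path":
            cookie.path = attr_value if attr_value.startswith("/") else None
        elif attr_name:
            cookie.other[attr_name] = attr_value  # RFC 6265 s5.3: last wins
    if cookie.secure and not request_is_secure:
        return None
    if cookie.name.startswith("__Secure-") and not cookie.secure:
        return None
    if cookie.name.startswith("__Host-") and not (
            cookie.secure and cookie.host_only and cookie.path == "/"):
        return None
    return cookie


def store_cookie(jar: List[Cookie], header: str, request_host: str,
                 request_is_secure: bool) -> bool:
    """Store a parsed cookie in a list-based jar.  A cookie is identified by
    (name, domain, path) plus its host-only flag (-03), and a non-secure
    request may not overwrite an existing Secure cookie (-01).
    Returns True when the cookie was stored."""
    new = parse_set_cookie(header, request_host, request_is_secure)
    if new is None:
        return False
    key = (new.name, new.domain, new.path, new.host_only)
    for i, old in enumerate(jar):
        if (old.name, old.domain, old.path, old.host_only) == key:
            if old.secure and not request_is_secure:
                return False
            jar[i] = new
            return True
    jar.append(new)
    return True


def serialize_cookie_header(cookies: List[Cookie]) -> str:
    """-06 serialization fix: emit 'name=' only when the name is non-empty
    and the value only when it is non-empty, so ("", "token") becomes 'token'
    rather than '=token'."""
    return "; ".join((f"{c.name}=" if c.name else "") + c.value for c in cookies)
```

Feeding "sid=1; Secure" over HTTPS and then "sid=evil" over plain HTTP into the same jar shows the cookie-alone rule at work: the second store is refused and the original value survives, while "Set-Cookie: token" is stored as a nameless cookie and comes back in the Cookie header as "token", not "=token".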
Acknowledgements Acknowledgements
RFC 6265 was written by Adam Barth. This document is a minor update RFC 6265 was written by Adam Barth. This document is a minor update
of RFC 6265, adding small features, and aligning the specification of RFC 6265, adding small features, and aligning the specification
with the reality of today's deployments. Here, we're standing upon with the reality of today's deployments. Here, we're standing upon
the shoulders of a giant since the majority of the text is still the shoulders of a giant since the majority of the text is still
Adam's. Adam's.
Authors' Addresses Authors' Addresses
 End of changes. 61 change blocks. 
124 lines changed or deleted 201 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/